Ransomware Strikes Back: How Reynolds BYOVD Driver Outsmarts EDR Security Measures
Reynolds Ransomware: A New Threat with Built-in Defense Evasion Component
A recent disclosure by cybersecurity researchers has shed light on a new ransomware strain known as Reynolds. What sets this threat apart is that it carries a bring your own vulnerable driver (BYOVD) component inside the ransomware payload itself. This component exists purely for defense evasion: it is used to silence security software so the rest of the malicious activity can proceed unnoticed.
The concept of BYOVD involves exploiting legitimate but flawed driver software to escalate privileges and disable Endpoint Detection and Response (EDR) solutions. While this technique has been utilized by various ransomware groups in the past, Reynolds takes a different approach by bundling the vulnerable driver (NsecSoft NSecKrnl driver) directly with the ransomware.
According to the Symantec and Carbon Black Threat Hunter Team, this tactic of embedding a defense evasion component within the ransomware payload is not entirely new. Similar strategies have been observed in previous attacks, such as Ryuk ransomware in 2020 and the lesser-known Obscura ransomware family in late August 2025.
In the Reynolds campaign, the ransomware is programmed to drop the vulnerable NsecSoft NSecKrnl driver and terminate processes associated with popular security programs like Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos, and Symantec Endpoint Protection, among others.
Notably, the NSecKrnl driver is susceptible to a known security flaw (CVE-2025-68947, CVSS score: 5.7) that can be exploited to terminate arbitrary processes. Threat actors, including Silver Fox, have previously leveraged this driver in attacks aimed at disabling endpoint security tools prior to deploying ValleyRAT.
Over the past year, malicious actors have increasingly used legitimate but flawed drivers, such as truesight.sys and amsdk.sys, in BYOVD attacks to bypass security measures. By integrating defense evasion and ransomware capabilities into a single component, attackers make it more challenging for defenders to thwart the attack effectively.
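The detection opportunity in the chain described above is the sequence itself: a known-vulnerable driver is loaded (often from a user-writable path, since the ransomware drops it) and security-product processes die shortly afterwards. The following Python is an added example written for this article, not code from Symantec, Carbon Black or any vendor; the driver file name `nseckrnl.sys`, the process names, the log format and the time window are all assumptions or constructed placeholders.

```python
"""Flag BYOVD kill chains in a constructed driver-load / process-exit log.
Added example: not from the article or any vendor product."""
from datetime import datetime, timedelta

# Driver names mentioned in the article. The NSecKrnl file name is an
# assumption; a production rule should match on file hash or signer
# (e.g. a vulnerable-driver blocklist), not on file name alone.
VULNERABLE_DRIVERS = {"truesight.sys", "amsdk.sys", "nseckrnl.sys"}
# Constructed placeholders standing in for EDR/AV agent processes.
SECURITY_PROCESSES = {"edr_agent.exe", "av_service.exe", "xdr_sensor.exe"}
WINDOW = timedelta(minutes=5)  # assumed correlation window


def parse_event(line):
    """Parse a constructed line: '<ISO timestamp> <KIND> <value>'."""
    ts, kind, value = line.split(" ", 2)
    return datetime.fromisoformat(ts), kind, value.strip().lower()


def user_writable(path):
    """Heuristic: drivers dropped by malware land outside System32."""
    return "\\users\\" in path or "\\temp\\" in path


def detect_byovd_kill_chain(lines):
    """Return (driver_path, killed_processes, severity) alerts.
    'high' = vulnerable driver load followed by security-process exits
    within WINDOW; 'medium' = vulnerable driver loaded from a user path."""
    loads, kills = [], []
    for line in lines:
        ts, kind, value = parse_event(line)
        if kind == "DRIVER_LOAD":
            if value.rsplit("\\", 1)[-1] in VULNERABLE_DRIVERS:
                loads.append((ts, value))
        elif kind == "PROCESS_TERMINATE" and value in SECURITY_PROCESSES:
            kills.append((ts, value))
    alerts = []
    for load_ts, driver in loads:
        killed = [p for ts, p in kills if timedelta(0) <= ts - load_ts <= WINDOW]
        if killed:
            alerts.append((driver, killed, "high"))
        elif user_writable(driver):
            alerts.append((driver, [], "medium"))
    return alerts


# Constructed sample log: a benign load, then the BYOVD sequence.
SAMPLE_LOG = [
    "2025-09-01T10:00:00 DRIVER_LOAD C:\\Windows\\System32\\drivers\\disk.sys",
    "2025-09-01T10:03:12 DRIVER_LOAD C:\\Users\\victim\\AppData\\Local\\Temp\\NSecKrnl.sys",
    "2025-09-01T10:03:15 PROCESS_TERMINATE edr_agent.exe",
    "2025-09-01T10:03:16 PROCESS_TERMINATE av_service.exe",
    "2025-09-01T10:03:20 PROCESS_TERMINATE notepad.exe",
    "2025-09-01T10:30:00 PROCESS_TERMINATE xdr_sensor.exe",  # outside WINDOW
]

if __name__ == "__main__":
    for alert in detect_byovd_kill_chain(SAMPLE_LOG):
        print(alert)
```

Feeding real Sysmon driver-load (Event ID 6) and process-termination (Event ID 5) records into the same correlation is a straightforward adaptation, but the blocklist should then key on hash or signer rather than file name.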
The presence of a suspicious side-loaded loader on the target’s network weeks before the ransomware deployment in the Reynolds campaign raises further concerns. Additionally, the deployment of the GotoHTTP remote access program post-ransomware deployment suggests a concerted effort by the attackers to maintain persistent access to compromised hosts.
BYOVD remains a favored technique among cybercriminals due to its effectiveness and reliance on legitimate, signed files that are less likely to trigger security alerts. Combining defense evasion capabilities with ransomware payloads streamlines the attack process and reduces the need for separate steps by affiliates.
Recent developments in the ransomware landscape have underscored the evolving tactics and sophistication of threat actors:
- A phishing campaign leveraging Windows shortcut attachments to deliver the GLOBAL GROUP ransomware locally on compromised systems.
- Abuse of virtual machines by ransomware operators to host and distribute malicious payloads at scale.
- Exploitation of misconfigured S3 buckets on Amazon Web Services for data manipulation and theft.
- The professionalization of ransomware operations, including the introduction of new services to support affiliates during extortion campaigns.
- The emergence of LockBit 5.0 with enhanced encryption capabilities and anti-analysis techniques.
- The Interlock ransomware group leveraging a zero-day vulnerability to disable security tools in a BYOVD attack.
As ransomware activity continues to rise, it is crucial for organizations to enhance their cybersecurity posture and implement robust defense mechanisms to mitigate the risk of falling victim to such attacks.